In complex systems such as telecommunications and Information Technology (IT) infrastructures, the potential impacts of security vulnerabilities, even if discovered and disclosed, tend to be difficult to assess in a timely fashion. This is primarily due to the number and nature of these vulnerabilities, as well as the number of assets in such systems. Some assets may also have embedded software layers and other dependencies, which further complicates security assessments.
The capacity to understand and make informed decisions soon after a vulnerability is disclosed is one key aspect of proactive security. Such capacity allows network operators, for example, to understand the security state, i.e., the risk to a network infrastructure, at any given time and assign a priority action list for risk mitigation. Identification of commercial risks associated with relying on data stored and transmitted on network segments during a period of elevated security risk may also be of use in performing a comprehensive security assessment.
One currently available security assessment tool provides models of attack paths. A model may be used to examine how a sequence of attacks based on known vulnerabilities can allow another asset to be attacked. Each relationship between an asset and a vulnerability in the sequence, however, is treated as a single association, such that each attack does not have inherent knowledge of a previous attack in the sequence.
Currently available tools do not distinguish between assets that a vulnerability can exploit, assets it can affect, and assets that can protect against it. As such, these tools have a limited capability to model the reality of complex relationships between assets. This can limit the accuracy and completeness of asset/vulnerability associations and security models generated by such tools.
As a simple example of the limits of current tools, assume that a security vulnerability in a software application may be used to cause a buffer overflow in an operating system, and that remote access to a particular computer system on which the operating system and the software application are executed is prevented by a personal firewall on the computer system. In this case, an attack on the software application may affect the operating system, and the personal firewall protects the software application. Existing tools would model only the relationship between the vulnerability and the software application. The operating system effects might be captured in a description of the vulnerability, but existing tools are not able to determine from such a description that the operating system is also at risk. Furthermore, the protective mechanisms provided by the personal firewall could only be considered in an indirect way, not directly associated with the vulnerability.
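The following added example (not part of the original text) models the scenario above with the three relationship types the passage says current tools lack: which asset a vulnerability is exploited through, which assets it affects, and which assets protect against it. The asset names, vulnerability identifiers and the second operating-system flaw are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    """A disclosed vulnerability with typed relationships to assets."""
    name: str
    exploits: set = field(default_factory=set)      # assets the flaw is exploited through
    affects: set = field(default_factory=set)       # assets that suffer the impact
    protected_by: set = field(default_factory=set)  # assets that block the attack path


def single_association_view(vuln):
    """What a tool that records one asset per vulnerability would report."""
    return set(vuln.exploits)


def assets_at_risk(vuln, asset_state):
    """Return the assets exposed by `vuln`.

    asset_state maps a protective asset's name to True when that control is active;
    an active protective asset is treated as blocking the whole attack path."""
    if any(asset_state.get(p, False) for p in vuln.protected_by):
        return set()
    return vuln.exploits | vuln.affects


def risk_report(vulns, asset_state):
    """Map each exposed asset to the vulnerabilities reaching it, most-hit first,
    as a starting point for a priority action list."""
    report = {}
    for v in vulns:
        for asset in assets_at_risk(v, asset_state):
            report.setdefault(asset, []).append(v.name)
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


# Constructed sample: a flaw in an application causes a buffer overflow in the host
# operating system, and a personal firewall prevents the remote access needed.
APP_FLAW = Vulnerability(
    name="hypothetical-app-overflow",
    exploits={"software_application"},
    affects={"operating_system"},
    protected_by={"personal_firewall"},
)
# Constructed second flaw, exploited directly on the OS and not covered by the firewall.
OS_FLAW = Vulnerability(name="hypothetical-os-flaw", exploits={"operating_system"})

if __name__ == "__main__":
    print(risk_report([APP_FLAW, OS_FLAW], {"personal_firewall": False}))
```

Comparing `single_association_view` with `assets_at_risk` shows the gap described in the text: the single-association view never lists the operating system, and it cannot express that the firewall changes the result.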
Thus, there remains a need for improved techniques for associating security vulnerabilities and assets.